Tuesday, December 20, 2011

Lync Server 2010: Building redundancy into your dial plans

We've had quite a bit of discussion lately about the behaviour associated with Lync Server 2010 call routing when a gateway is "down". The discussion was prompted by a customer outage scenario in which a voice gateway was used to connect a Nortel CS1000 PBX to Lync Server 2010. A single T1 interface was used to provide PBX to Lync calling and Lync to PSTN for certain dialing scenarios. The Nortel CS1000 implementation was vast and contained several H.323 trunks connecting various remote sites together for toll bypass and short digit dialing patterns.


The customer had an issue with one of the H.323 connections in the Nortel world which resulted in an outage to Lync Server. Looking deeper into the issue we discovered the dial plan in Lync Server had multiple phone usages with routes matching the same dialing pattern. For example, a user has a voice policy with two phone usages (see below):

Phone Usage     Route             Matching Pattern   Gateway
NA-AB-Usage1    NA-AB-PBX-Route1  \+1                vgw1.contoso.local
NA-AB-Usage2    NA-AB-SIP-Route1  \+1                siptrunk1.provider.com

Given the above, I assumed Lync Server would match on the first usage, fail, and then not use the second usage even if its route matched the pattern for the call. In certain situations this is correct; in others it isn't. For example, if the gateway returns a 5xx-level response to the Mediation Server, or if it's marked as "down", we will use the next phone usage matching the called number. If the gateway returns a 4xx-level response to the Mediation Server we will NOT try the next phone usage, resulting in call failure.

So what happens if we have a single phone usage with multiple routes?
In this case, the same behaviour would be experienced. A 5xx-level SIP response to the Mediation Server would permit the call to try the second route in the same usage; however, a 4xx-level response would result in a call failure. Adding multiple gateways to a route only causes them to be used in a round-robin fashion and doesn't protect us from a 4xx-level response. Below is an example of a phone usage with multiple routes:


Phone Usage     Route             Matching Pattern   Gateway
NA-AB-Usage1    NA-AB-PBX-Route1  \+1                vgw1.contoso.local
                NA-AB-SIP-Route1  \+1                siptrunk1.provider.com

Let's take a slight detour for a moment and talk about what happens when a gateway is down, how long it stays down for, and when or how long it takes for service to be restored.

How are gateways marked as "down"?
The Mediation Server sends a SIP OPTIONS request to the next-hop gateway, which can be viewed by running NetMon or Wireshark on the interface bound to the IP used by that service. If no response, or an invalid response, is returned we raise event ID 25051, then increment a counter. Once the counter reaches five we raise event IDs 25061 and 25052, thus marking the gateway "down". Subsequent failure events after this point will not be logged, as described in event ID 25052.

Event ID 25051: First failure up to five attempts...

Event ID 25052: Tried five times, won't log it anymore...

Event ID 25061: Taking the gateway out of service (down)...

How long do they stay down for?
A gateway taken out of service by Lync Server will be retried every minute, which means we will put a gateway back in service very quickly once we receive a successful response to the OPTIONS request. We follow this up by creating event ID 25062.

Event ID 25062: Back in business...

Even though the gateway is back in service from the Mediation server's perspective, Lync's OutBound Routing (OBR) logic may take up to 20 minutes to add it back as a viable call path. This is because the Lync OBR doesn't have access to the SIP OPTIONS status and will run an exponential back-off algorithm which is capped at 20 minutes.

What happens if the gateway is "unhealthy"?
When I use the word unhealthy I'm referring to a SIP response code in the 4xx range, which would cause an OBR failure within Lync and ultimately a failure for the end user. Let's say, given the original problem stated above, we receive back a "SIP/2.0 488 Not Acceptable Here" from the gateway. Using Lync Server PowerShell commands we can create a new response code translation rule for the 488 message on that gateway as follows:

New-CsSipResponseCodeTranslationRule -Identity "PstnGateway:10.0.0.6/Rule488" -ReceivedResponseCode 488 -TranslatedResponseCode 503

In the above example, Lync's OBR logic will retry the next route or phone usage if the pattern matches the called number.

What other useful examples are there?
Let's say you have a single T1/PRI and a SIP trunk at a location. The SIP trunk is used as an overflow for outbound calls if all ports on the T1/PRI are used up. Again, it wouldn't matter if you had multiple phone usages with the independent routes to the PRI or to the SIP trunk. The response code from the gateway will be a "SIP/2.0 486 Busy Here" when no channels are available. If we map the 486 response code to a 503, OBR will retry the next route or phone usage.

New-CsSipResponseCodeTranslationRule -Identity "PstnGateway:10.0.0.6/Rule486" -ReceivedResponseCode 486 -TranslatedResponseCode 503

The exception to the above scenario would be if you were using a certified Lync Server gateway. A certified gateway will return a "SIP/2.0 503" instead of the "SIP/2.0 486".

So there you have it, you can use Lync Server to build out recovery scenarios based on certain responses from the gateway.
TechNet reference: http://technet.microsoft.com/en-us/library/gg413041.aspx

Saturday, October 1, 2011

SUCCESS! Install Windows Server 2008 R2 on Lenovo W520

In my new job I received an amazing Lenovo W520 laptop as my primary device for doing business. The integrated 160GB SSD wasn't enough space for my liking and since I wanted to take advantage of the 16GB of memory, I decided to purchase a few goodies for it. My primary goal here by the way is to run Hyper-V and a few VM's for testing/demo purposes. Installing from the DVD isn't an option since I replaced the drive with a high capacity HDD.

First, I removed the DVD drive and installed a drive caddy (http://www.newmodeus.com/shop/index.php?main_page=product_info&cPath=2_7&products_id=400) along with a Seagate 750GB laptop drive from Memory Express.

Next, since my default install image of Windows 7 was missing a few drivers and key software components, I went to the Lenovo web site and downloaded their system update software which managed to get all relevant drivers and conveniently placed them on C:\drivers\win.

The next step was to format the 750GB drive with enough space to hold my Windows Server 2008 R2 installation along with some basic software. I then located my 8GB Patriot USB stick and began to format it as follows:
  1. Within Windows 7 open an Administrative command prompt and type diskpart
  2. Then list disk which will show you the available drives. You should see your USB drive and select it by typing select disk ##
  3. Type clean
  4. Then create partition primary
  5. Then active
  6. Next you need to actually format the USB key. You can choose FAT32 or NTFS and since my WIM install file is customized I chose NTFS as follows format fs=ntfs quick
  7. Then assign and finally quit the diskpart utility. You now have a bootable USB drive.

Next you need to copy the Windows Server 2008 R2 source media to the USB drive, making sure to copy all files (it's best to just use xcopy with the /s /e /f /h switches).

Now you should be able to boot into Windows Server 2008 R2 with this USB device but MAKE SURE TO PLUG IT INTO THE REAR SLOT of the laptop. If you try any other slot I found it impossible to make Windows find the suitable drivers to proceed with setup.

BONUS: Install drivers from (C:) for the W520 onto USB (E:)
  1. From C:\Windows\System32 type Dism /Get-WimInfo /WimFile:E:\Sources\Install.wim. This will show you all images within the WIM file.
  2. Next, you need to extract the image you want to install the drivers into. Type Dism /Mount-Wim /WimFile:E:\Sources\Install.wim /Name:"Windows Server 2008 R2 ENTERPRISEFULL" /MountDir:C:\jcstemp\offline
  3. Next we want to load the drivers recursively as follows: Dism /Image:C:\jcstemp\offline /Add-Driver /Driver:C:\drivers\win /Recurse
  4. Finally we need to close out our image back into the USB drive as follows: Dism /Unmount-Wim /MountDir:C:\jcstemp\offline /Commit
Now when you install Windows Server 2008 R2 you'll have all the necessary USB 3.0, Video, and chipset drivers to get going!

Cheers!

Monday, June 20, 2011

HOW TO: Configure AD RMS with Exchange; Soup to Nutz

It's been a while since I've posted anything related to Exchange and in the time between exam taking and projects I've been working on trying to get Active Directory Rights Management Services (AD RMS) to work with Exchange 2010.

Some of you may be asking yourself why this is important information or you might even be wondering what AD RMS is all about? Well it wasn't until recently that I became interested in this topic and consequently learned the ins and outs of rights management solutions. The topic came to mind when a colleague at work mentioned someone outside the organization had asked them for one of our internal documents. At first I thought "wow, that's some nerve!". Then I began to think about how an organization might attempt to protect this information from 'leakage'; (not this type of leakage). It wasn't the first time I encountered this type of situation but at the time the world of rights management and information leakage was blurred and convoluted. I can't say a lot has changed on this topic but at least Microsoft has started building native support for IRM/AD RMS into their applications such as Exchange Server 2010 and Office 2010.

Some of the challenges I've seen in the other documentation out there seem to exclude the configuration steps necessary to provide an end to end solution with respect to certificate auto-enrollment or AD RMS template configuration. So I'll try...

First off, you want to build up a VM just for the purpose of configuring AD RMS. You can collocate this role on another DC or server but just to make things 'cleaner' I chose to do it this way. In a production environment you may want to do the same.

Next, you'll configure Exchange, then your certificate infrastructure. Finally, we'll finish up with TMG publishing of the AD RMS infrastructure so everything works for your Internet facing employees and customers.

Step 1: Deploy AD RMS
  • Using the Add Roles Wizard in Server Manager, add the Active Directory Rights Management Services role to your new VM.
  • Select just the Active Directory Rights Management Server service and leave OFF the Identity Federation Support option.
  • Accept the default to create a new AD RMS cluster.
  • Choose to use an Internal Database.
  • Create a Domain User account and assign it to AD RMS (I used "adrmsuser").
  • Set the AD RMS Key storage location to be centrally managed.
  • Set the AD RMS Cluster Key Password.
  • Configure AD RMS to use an HTTPS connection by typing in the URL (i.e. adrms.contoso.com).
  • Choose to use an existing SSL certificate if you have one already. If not, get one!
  • Accept all remaining defaults.
At this point AD RMS will be installed into your Active Directory domain and a Service Connection Point (SCP) will be created. Exchange 2010 will use this SCP to discover the AD RMS cluster in the environment so the actual amount of configuration necessary is very little.

Step 2: Permit Exchange 2010 access to AD RMS
  • From your AD RMS server, navigate to %systemdrive%\Inetpub\wwwroot\_wmcs\Certification.
  • Right-click the ServerCertification.asmx file and click Properties.
  • Click the Security tab.
  • Click the Edit button.
  • In the Select User, Computer, Service Account, or Group dialog box, click Object Types, select Computers and click OK.
  • Type the names of the Exchange 2010 servers in your environment and click OK.
  • Grant Read & execute and the Read check boxes and click OK.
NOTE: Also check to make sure the local group on your AD RMS server called AD RMS Service Group exists here with the same permissions as outlined above.

Step 3: Configure AD RMS Super Users Group
  • Create a Universal Group (Distribution Group) in AD with a name like "ADRMS-SU" then mail enable it (i.e. ADRMS-SU@contoso.com).
  • Log onto your AD RMS server and open the Active Directory Rights Management Services console.
  • Expand Security Policies then click Super Users.
  • Click Enable Super Users.
  • In the results pane, click Change Super User Group to open the Super Users property sheet.
  • In the Super User group box, type the e-mail address of the designated super users group (ADRMS-SU@contoso.com), or click Browse to navigate through the defined users and groups in the directory then click OK.
Step 4: Configure Exchange 2010
  • Open an Exchange Management Shell window.
  • Type Set-IRMConfiguration -InternalLicensingEnabled:$True
Step 5: Configure automatic AD RMS Client certificate distribution
  • Run this command: schtasks /Change /TN "\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)" /ENABLE
NOTE: This will enable automatic checking of templates at logon and at 3:00AM each day. To deploy this to all PC's in a domain, consider creating a GPO with a Startup script to run it (due to UAC in Vista and Windows 7, you may not be able to deploy a GPO with a Logon script).
  • IMPORTANT: You must add the following registry entry to the local system (can also be done via GPO) so that the IRM-enabled clients can find the template files.
    • HKCU\Software\Microsoft\Office\14.0\Common\DRM
      • Name: AdminTemplatePath
      • Type: REG_EXPAND_SZ
      • Data: %LocalAppData%\Microsoft\DRM\Templates
If you encounter a situation where the Outlook client can't find the templates, you will only see the default "Do Not Forward" template when you select one from the Permissions button on the ribbon. My suggestion here would be to create a GPO using the 2008 user preferences functionality. Create as many entries as you require to target certain operating systems and versions of Office. For example, you may want to create a single GPO where you populate the registry with values for both Office 2007 and 2010 (just in case). This makes it easier to maintain one GPO than separate ones....or simply use the Item Level Targeting feature of the GPO to determine when and where to apply it.
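One way to script the Step 5 client settings, as an added example that is not from this post: it writes AdminTemplatePath as REG_EXPAND_SZ for both Office 2007 (12.0) and Office 2010 (14.0), enables and kicks off the template task, then checks the template folder the way you would when Outlook offers only "Do Not Forward". The Office version list and running from an elevated prompt as the interactive user are assumptions.

```powershell
# Assumptions (not from the post): Office 2007 (12.0) and Office 2010 (14.0) are the versions
# in use, and this runs as the interactive user (HKCU) from an elevated prompt so that
# schtasks can change a task under \Microsoft\Windows.
$templatePath = '%LocalAppData%\Microsoft\DRM\Templates'
$taskName = '\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)'

foreach ($officeVersion in @('12.0', '14.0')) {
    $key = "HKCU:\Software\Microsoft\Office\$officeVersion\Common\DRM"
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # ExpandString = REG_EXPAND_SZ, so %LocalAppData% is resolved per user when Office reads
    # it rather than frozen to this user's profile path at the time the value is written
    New-ItemProperty -Path $key -Name 'AdminTemplatePath' -PropertyType ExpandString `
        -Value $templatePath -Force | Out-Null
}

# Enable the template download task (runs at logon and 03:00 daily) and run it now
# instead of waiting for the next logon
schtasks.exe /Change /TN $taskName /ENABLE
if ($LASTEXITCODE -ne 0) { throw "Could not enable task '$taskName' (exit code $LASTEXITCODE)" }
schtasks.exe /Run /TN $taskName
Start-Sleep -Seconds 15

# The symptom of a broken path is Outlook offering only 'Do Not Forward'; check that the
# expanded directory exists and holds at least one template
$resolvedPath = [Environment]::ExpandEnvironmentVariables($templatePath)
$templates = @(Get-ChildItem -Path $resolvedPath -Filter '*.xml' -ErrorAction SilentlyContinue)
if ($templates.Count -gt 0) {
    Write-Output ("{0} template(s) present in {1}" -f $templates.Count, $resolvedPath)
} else {
    Write-Warning "No templates in $resolvedPath yet; Outlook will show only 'Do Not Forward' until the task has downloaded them"
}
```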

Step 6: Configure User Certificate Template
  • Log into your Certificate Services server.
  • Open the Certification Authority MMC.
  • Expand the server name in the console, right-click on Certificate Templates and choose Manage.
  • Right-click the User template, choose Duplicate Template, and select Windows Server 2003 Enterprise Edition.
  • Give the template a name such as "User Template Auto Enrollment".
  • Set the validity period to something acceptable.
  • Click the Request Handling tab and turn off Allow private key to be exported.
  • Click the Security tab and make sure Authenticated Users and Domain Users have Read, Enroll and Autoenroll enabled.
Step 7: Configure Auto Enrollment
  • Log into your server used to manage GPO's.
  • Create a new GPO and link it to an OU or to the Domain.
  • Create a User Configuration setting under Policies\Windows Settings\Security Settings\Public Key Policies.
  • Double-click the Certificate Services Client - Auto - Enrollment object.
  • Set the Configuration Model to Enabled.
  • Turn on Renew expired certificates, update pending certificates, and remove revoked certificates.
  • Turn on Update certificates that use certificate templates.
  • Turn on Expiration Notification then click OK.
  • Close your GPO editor.
At this point your users should automatically enroll their User certificate at logon to any machine matching the GPO you've created in step 7 above. Validate this by logging out and back in, then opening certmgr.msc and checking your Personal store.

Step 8: Define your external URL for AD RMS
  • Log onto your AD RMS server and open the Active Directory Rights Management Services console.
  • Click on the server name and choose Properties.
  • Click the Cluster URLs tab.
  • Turn on your Extranet URLs and specify an external DNS name (i.e. adrmsext.contoso.com) then click OK.
Step 9: Configure Microsoft Threat Management Gateway to access AD RMS

NOTE: Due to issues with my TMG environment I haven't been able to publish the rest of this article. I'll be back soon to finish it but for now we'll have to wait.

    Thursday, May 5, 2011

    SIP Trunking with Lync Server 2010 and reliability issues (calls only last 51 mins)

    I recently worked on a project for a customer who was interested in working with a local SIP trunk provider (ITSP) who is listed on the Microsoft OIP page for Lync Server 2010. We offered four connectivity methods to the client which consisted of the following:

    1. Full IP NAT connection to ITSP
    2. Public IP connection to ITSP
    3. Site-to-site IPSEC VPN connection to ITSP
    4. Layer 2 PVC using ISP link
    The customer decided to go with option 1 which meant we provisioned a new public IP and created a NAT to a private IP which was bound to the Lync server. Appropriate firewall rules were set up to permit SIP and RTP/RTCP packets between the two and for the most part everything worked really quite well.

    Incidentally, calls made to, or coming from the PSTN (ITSP) are using G.711 as a codec and if you have a reasonably reliable connection with low delay and jitter, you can expect good results.

    This particular customer had an interesting issue which resulted in their calls being dropped after being active on the phone for 51 minutes and 30 seconds (typically a conference call). After a series of funny looks asking if anyone else has seen this issue, I decided to dig into the Lync Server 2010 trunk configuration settings to see if we can fine tune something. The theory on why this was happening appeared to be related to the RTCP packets being blocked from the ITSP. Unfortunately I didn't have any evidence of this to share here but it makes sense. Looking at the default options for a Lync trunk connection, the following areas of interest are what I focused on:

    EnableSessionTimer ($true | $false)
    RTCPActiveCalls ($true | $false)
    RTCPCallsOnHold ($true | $false)

    The default option for a trunk in Lync Server 2010 is:

    EnableSessionTimer = False
    RTCPActiveCalls = True
    RTCPCallsOnHold = True

    Session timers will apply to a connection even if the trunk setting is "False" (this can occur when the remote side uses them). RTCPActiveCalls refers to the method of sending RTCP packets to determine whether the call is still 'alive'. If these packets cease, the call is terminated after 30 seconds. The reason for validating a call this way is that the SIP signaling for the call could traverse another path, such as Media Bypass, and/or become interrupted (a brief network or device outage). The same applies to RTCPCallsOnHold but in a slightly different manner. Historically a call on hold without MOH will cease sending RTP packets and drop the peer (some of you may recall this being an issue on SNOM or Cisco sets).

    If my theory of RTCP packets being blocked (inbound) or not sent at all were correct, I would think the call wouldn't last very long at all (i.e. no more than about 30 seconds). I attempted to set "EnableSessionTimer" to True but this didn't seem to make a difference. I had to set RTCPActiveCalls and RTCPCallsOnHold to False as well for the issue to go away. In the end, the configuration I went with looks like this:

    EnableSessionTimer = True
    RTCPActiveCalls = False
    RTCPCallsOnHold = False

    Wednesday, May 4, 2011

    Calculating number of Mediation Servers and voice channels required for Lync Server 2010

    I generally hate doing something I don't fully understand or haven't been taught so I've taken some time to try and grasp the mind bending, eye crossing, fascination that is capacity planning with respect to voice systems.

    It all goes back to our Microsoft Certified Masters training for Lync Server 2010 in March/April of this year. Some of the pre-study content prescribed to us touches on what an "Erlang" is and why it's important to understanding voice systems design. In addition to this, the MCM program has us learn about applying factors such as Busy Hour Traffic (BHT), Blocking Percentage, Busy Hour Factor, and Erlangs against real world capabilities of Lync Server 2010.

    So let's start with the basics. What is an Erlang? Well, if you look up the Wikipedia definition it states:

    "The erlang (symbol E[1]) is a dimensionless unit that is used in telephony as a statistical measure of offered load or carried load on service-providing elements such as telephone circuits or telephone switching equipment."

    Basically, an Erlang represents one voice path, or one channel, or one line in constant use (sorry Adam). The reason an Erlang is important is because we need to eventually determine the number of concurrent channels required for sizing T1/E1 capacity or even determining the number of Mediation servers we need.

    The other important concept we need to understand is the Busy Hour Traffic (measured in Erlangs). BHT is the number of hours of call traffic during the busiest hour of the day. Said another way, BHT represents the maximum concurrent channels used during the busiest hour.

    In addition to understanding line usage, we need to grasp the idea of a blocking percentage. This means the likelihood of a call being denied (blocked) due to insufficient channels or lines (capacity). When planning for capacity you need to determine the acceptable blocking percentage for an organization. Some will permit only 1% which means 1 out of every 100 calls will be blocked due to insufficient line capacity. Other organizations are willing to accept 2.5% or more. 

    The last concept we need to cover is the Busy Hour Factor, represented in a percentage. The Busy Hour Factor is the percentage of minutes which are offered during the busiest hour of the day. The default is typically 17% for most businesses open during an 8 hour work window. We use the Busy Hour Factor to calculate the Erlangs based on a certain volume of minutes in a day.

    Clear as mud? Let's look at the following scenario:

    You are introduced to a customer who is looking to move to Lync Server 2010 and migrate from an existing PBX with 2 T1's. Rumors of an acquisition come true and the company plans to integrate more telephony capacity. You're given the phone statistics for both companies which works out to 37,000 minutes per day.

    What is the Busy Hour Traffic (BHT, measured in Erlangs)?
    What is the Busy Hour Factor (default is 17%)?
    What is the Blocking Percentage?
    How many T1's do you need?
    How many Mediation servers do you need?

    We actually can't answer these questions unless we have an "Erlang B" calculator which can be found here: http://www.erlang.com/calculator/erlb/. But first let's solve what we can. For those of you who wish to solve without assistance, the formula is:

    To calculate Busy Hour Traffic, we can multiply the Busy Hour Factor of 17% by the total number of minutes (37,000) then divide that by 60. The calculation looks like this: 

    37,000 * 0.17 / 60 = 104.8 BHT (Erlangs)

    Since the scenario didn't specify a blocking percentage, let's assume 1%. With this assumption and the calculated BHT value, we now have enough information to put into our "Erlang B" calculator to determine the number of lines or channels we need.

    This produces 122 lines.

    Knowing a T1 can handle 23 lines of voice traffic, we get 5.3 T1's being required. Now you can't have .3 of a T1 so maybe the client is willing to accept a higher blocking percentage to squeeze the traffic into 5 T1's. You can use the "Erlang B" calculator to determine what the blocking percentage would be in this case.

    5 T1's can carry 115 channels and with 104.8 BHT this produces a blocking percentage of 2.7%.

    Acceptable? Maybe...maybe not. It really depends on the customer.

    Now there are other clever ways of squeezing out a few more channels. NFAS is one way in which you can forgo the D-channel on each T1 if you've trunked several of them together. For example, 3 T1's would typically have 3 D-channels whereas with NFAS, you can get away with 1 D-channel between the group of three. This gives you two more B-channels for voice. Multiply that by 5 T1's and you get four more B-channels increasing your capacity from 115 to 119. Using the "Erlang B" calculator again....

    This produces a blocking percentage of 1.6%

    Not bad at all!

    Okay, so bringing things back to reality, we have a recommendation to the customer about how many T1's they need to plan for which is 5 using NFAS. The next question we need to answer is how many Mediation servers we need so let's look at some capacity numbers:

    A stand-alone Mediation server with quad 1Gb NIC with dual quad-core CPU's can support 800 - 1200 concurrent calls (not including media bypass).

    A collocated Mediation server with Front-End server can support 226 concurrent calls.

    Based on our Busy Hour Traffic number of 104.8 Erlangs, even a single collocated Mediation server on a Front-End server can handle all the traffic.
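The figures above can be reproduced without the online calculator. This is an added example, not from the post: it implements the standard Erlang B recursion in PowerShell together with the T1/NFAS channel counts and the collocated Mediation Server capacity quoted above.

```powershell
function Get-BusyHourTraffic {
    param([double]$MinutesPerDay, [double]$BusyHourFactor = 0.17)
    # Minutes offered in the busiest hour, converted to hours of traffic (Erlangs)
    return ($MinutesPerDay * $BusyHourFactor) / 60.0
}

function Get-ErlangB {
    # Probability that a call is blocked when $Traffic Erlangs are offered to $Channels channels.
    # Uses the recursion 1/B(A,N) = 1 + (N/A) * 1/B(A,N-1), which avoids overflow for large N.
    param([double]$Traffic, [int]$Channels)
    $invB = 1.0
    for ($k = 1; $k -le $Channels; $k++) {
        $invB = 1.0 + ($k / $Traffic) * $invB
    }
    return 1.0 / $invB
}

function Get-RequiredChannels {
    # Smallest channel count whose blocking probability does not exceed $MaxBlocking
    param([double]$Traffic, [double]$MaxBlocking)
    $n = 1
    while ((Get-ErlangB -Traffic $Traffic -Channels $n) -gt $MaxBlocking) { $n++ }
    return $n
}

function Get-T1VoiceChannels {
    # Voice (B) channels on a group of T1s: 23 per T1 when each carries its own D-channel,
    # or 24 per T1 minus one shared D-channel when the group runs NFAS
    param([int]$T1Count, [switch]$Nfas)
    if ($Nfas) { return (24 * $T1Count) - 1 }
    return 23 * $T1Count
}

# Scenario from the post: 37,000 minutes/day, 17% busy hour factor, 1% blocking target.
# The post feeds the rounded BHT (one decimal) into the calculator, so do the same here.
$bht = [math]::Round((Get-BusyHourTraffic -MinutesPerDay 37000 -BusyHourFactor 0.17), 1)
$lines = Get-RequiredChannels -Traffic $bht -MaxBlocking 0.01
$t1Needed = [math]::Ceiling($lines / 23)
Write-Output ("BHT {0} E -> {1} channels at 1% blocking, i.e. {2:N1} T1s (round up to {3})" -f $bht, $lines, ($lines / 23), $t1Needed)

# Cost of squeezing the traffic into 5 T1s, with and without NFAS
foreach ($nfas in @($false, $true)) {
    $channels = Get-T1VoiceChannels -T1Count 5 -Nfas:$nfas
    $blocking = Get-ErlangB -Traffic $bht -Channels $channels
    Write-Output ("5 T1s, NFAS={0}: {1} channels -> blocking {2:P1}" -f $nfas, $channels, $blocking)
}

# Mediation Server check against the post's figure for a collocated server
$collocatedCapacity = 226
Write-Output ("Collocated Mediation Server sufficient: {0}" -f ($bht -le $collocatedCapacity))
```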

    Anyway, I hope this helps some of you understand the importance and complexity of sizing voice channels and servers. Microsoft has done an amazing job at increasing the capacity of concurrency with Lync Server 2010. Comments welcome.

    Cheers.

    Thursday, April 21, 2011

    Can't sign into Lync phone over the Edge server using PIN authentication

    Well I'm back from Lync Masters in Redmond. I'll have more on that in another post coming very soon.

    For those of you wondering if you can sign into a Lync "Aries" phone (untethered) outside your network, the answer is....'well sort of'.

    The phone does need to sign in on the LAN successfully at least once so that it 'learns' the path to the web ticket service in order to get a client certificate. The client certificate will permit authentication to Lync if AD is down and plays into the branch survivability story quite well (with a few exceptions). Once the device has its valid client certificate it will attempt to sign into a registrar by looking up the SRV record in DNS. It only does this one time if it finds a suitable registrar pool to register against. This is an important fact to remember. I'll say it again another way....the phone will NEVER go back to SRV lookup if it has been successfully authenticated against a registrar and signed in.

    The phones are designed to cache this information to reduce the burden on the network and to provide a survivable experience. This means if your pool name is "pool01.contoso.com" and the phone signed in against a front-end server, it will try to find that pool by name when you connect it at home or some other remote (outside the LAN) location. Again, the phone will NEVER go back to looking to DNS for the SRV record. If you perform a trace of the traffic you'll see this happen. The phone also caches the web services fqdn and will attempt to connect to it (if you have it published through ISA/TMG).

    So how do I make it work?
    Well it's simple really....use the name "sip.contoso.com" as your internal host name for your "_sipinternaltls._tcp.contoso.com" record. This name will match your external Access Edge FQDN and IP, and you should be able to sign in. Now I wouldn't recommend this approach. Just because it can be done doesn't make it a good idea.

    If the phone is signed in using a "common area phone" ID, then make sure you use the "Grant-CsExternalAccessPolicy" command to ensure the account can log in remotely.

    Watch out!
    Be aware of rogue devices leaking out of your network if you set it up to permit this activity. The certificate authentication mechanism will permit the phones to sign in EVEN IF THE AD ACCOUNT IS DISABLED. You must run a "Revoke-CsClientCertificate", disable the AD account for Lync, and disable the AD account to be safe.

    Cheers.

    Thursday, March 3, 2011

    RESOLVED: Lync Monitoring Server Reports are empty

    Recently I deployed an Enterprise pool topology where the client added monitoring and archiving shortly afterward. I had a fully functional Lync environment with all the workloads and capabilities working just great. When we added the monitoring/archiving server I knew to also add the dependent roles/features such as MSMQ because these were always required.

    I later deployed the monitoring pack and had a few issues. First, the name of the account used by Lync to access SQL Reporting Services was typed in using the client's domain FQDN (i.e. contoso.local\lyncqoe). This resulted in an error indicating the deployment of the report pack couldn't grant "ReportsReadOnlyRole" and also threw: "Exception calling "Create" with "0" argument(s):".

    As it turns out the Lync report pack deployment wizard didn't like the format I used for the username which was "domainfqdn\username". Looking at the username format under the Logins section of SQL Management Studio I noticed it was using the NetBIOS domain name format instead. After running it again and using the legacy NetBIOS style name format, it worked (i.e. contoso\lyncqoe).

    The next issue was that the reports weren't showing any data. The services were all started on my Monitoring server and everything appeared to be working fine. There were no errors in the Monitoring server and I couldn't figure out what was wrong. It turns out the Enterprise Edition Front-End server also needs to have MSMQ with Directory Services integration installed to complete the message chain between the FE and Monitoring server.

    Once I installed this feature the reports were showing data immediately.

    I suppose my feedback to the Lync product team would be that the topology publishing wizard should have failed with an indication that these features were missing on the front-end and that monitoring wouldn't function at all until they were there. There is a hard stop on the Monitoring server role installation wizard....but nothing for the FE servers.

    Tuesday, February 15, 2011

    Microsoft Certified Master: Lync

    Here we go....I just received my acceptance into the Microsoft Certified Master program so I'm off to Redmond in March/April for the second Lync 2010 Masters course in Washington.
    I'll be sure to post what I can from time to time and illustrate the process and share as much information about the course as possible.

    See you on the other side!

    Thursday, January 20, 2011

    HOW TO: Use Call Admission Control to actually control a call in Lync Server 2010

    So you may have done some reading on what Call Admission Control (CAC) in Lync Server 2010 does and how it can add value in a distributed environment. There are several guides out there on the terminology and overview of CAC but I've found a slight gap in the practical application of it.

    Throughout reading the Microsoft documentation on Lync Server 2010 including the CHM file, I've stitched together what I believe is a reference design for CAC and the steps necessary to get it to actually work.

    First, you need to make sure you've configured CAC network regions, sites, subnets, policies, links and routes. If you haven't done your reading yet, buckle down and understand the concepts using this link: http://technet.microsoft.com/en-us/library/gg398842.aspx.

    At a high level, it looks like this:
    1. Create a CAC Policy Profile (a.k.a. Bandwidth Policy).
    2. Create a Region and make sure you enable the "Enable audio alternate path" option.
    3. Create your Sites, link them to a Region, and assign your Bandwidth Policy (a.k.a. Policy Profile).
    4. Create your Subnets and assign them to a Site.
    5. Optional: If you have multiple Regions, you need to do two things. First, you need to create a Region link stitching together both Regions (i.e. Canada_to_USA_Region_Link). Second, you must create a Region Route even if you have only one Region Link....more on this later.
    Enable audio alternate path in your Region


    Once you have the network configuration portion complete, you need to make sure you've configured a voice policy for your users which permits rerouting of phone calls, and finally enable CAC in your global network configuration.

    Enable call admission control in your Global network configuration

    Enable PSTN reroute on your voice policy for your users
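    The same build-out, scripted with the Lync Server 2010 Management Shell cmdlets, as an added example that is not part of the original post. Region, site and subnet names follow the post; the bandwidth limits, the "Site:Calgary" central site, the 172.16.13x.0/24 subnets and the "EdmontonUsers" voice policy are assumed values.

```powershell
# Added example (not from the original post): the CAC configuration described
# above, built with the Lync Server 2010 cmdlets. Every bandwidth number,
# subnet and policy name here is an assumed value, not one the post states.

# 1. Bandwidth policy profile (limits in kbps; assumed values).
New-CsNetworkBandwidthPolicyProfile -Identity "CAN-Branch-BW" `
    -AudioBWLimit 2000 -AudioBWSessionLimit 100 `
    -VideoBWLimit 6000 -VideoBWSessionLimit 500 `
    -Description "Assumed limits for the Edmonton WAN link"

# 2. Region with the audio alternate path enabled. The central site is the
#    Lync (topology) site hosting the Calgary Front-End pool; name assumed.
New-CsNetworkRegion -Identity "Canada" -CentralSite "Site:Calgary" `
    -AudioAlternatePath $True -VideoAlternatePath $True

# 3. Sites linked to the region; only the constrained branch gets the policy.
New-CsNetworkSite -Identity "Calgary"  -NetworkRegionID "Canada"
New-CsNetworkSite -Identity "Edmonton" -NetworkRegionID "Canada" `
    -BWPolicyProfileID "CAN-Branch-BW"

# 4. Subnets mapped to sites (assumed ranges). A client is placed in a site by
#    the subnet it reports, so an unmapped subnet is simply outside CAC.
New-CsNetworkSubnet -Identity "172.16.130.0" -MaskBits 24 -NetworkSiteID "Calgary"
New-CsNetworkSubnet -Identity "172.16.131.0" -MaskBits 24 -NetworkSiteID "Edmonton"

# 5. Optional, only with a second region: a region link AND an inter-region
#    route, even when there is just one link (assumed "USA" region).
# New-CsNetworkRegionLink -Identity "Canada_to_USA_Region_Link" `
#     -NetworkRegionID1 "Canada" -NetworkRegionID2 "USA" `
#     -BWPolicyProfileID "CAN-Branch-BW"
# New-CsNetworkInterRegionRoute -Identity "Canada_USA_Route" `
#     -NetworkRegionID1 "Canada" -NetworkRegionID2 "USA" `
#     -NetworkRegionLinkIDs "Canada_to_USA_Region_Link"

# Voice policy: allow the PSTN reroute, keep the override off so CAC is honoured.
Set-CsVoicePolicy -Identity "Tag:EdmontonUsers" `
    -EnablePSTNReRouting $True -EnableBWPolicyOverride $False

# Turn CAC on globally; nothing above is enforced until this is set.
Set-CsNetworkConfiguration -EnableBandwidthPolicyCheck $True

# Check: which sites carry a policy, and is the bandwidth check actually on?
Get-CsNetworkSite | Select-Object Identity, NetworkRegionID, BWPolicyProfileID
(Get-CsNetworkConfiguration).EnableBandwidthPolicyCheck
```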

    So with all this configured, let's talk about what happens when you call someone over a link which is bandwidth constrained, has a CAC policy, and doesn't have enough bandwidth. Here's the story:

    Jason is in Edmonton where he has a Branch Survivable Gateway.

    Anton is in Calgary where he sits next to the Front-End server, Mediation Server, and a Direct SIP connection to Cisco Call Manager.

    Both Edmonton and Calgary are connected by a WAN link which is limited to 10Mb.

    Jason has a voice policy with the "Enable PSTN reroute" option set to 'enabled' and the "Enable bandwidth policy override" option set to 'disabled'.

    Jason calls Anton using his Lync 2010 client.

    Both users are in the "Canada" Region which has the option for "Enable audio alternate path" enabled.

    The Canada Region contains both the Calgary and Edmonton Site.

    The Edmonton site has a bandwidth policy which, based on current bandwidth consumption, is fully consumed. This would normally prevent the call from proceeding.

    Instead of the CAC policy stopping the call or sending it to Anton's voicemail, the call is rerouted out Jason's local PSTN gateway as configured in his Lync Server topology.

    Nice eh?

    Well what happens if "Enable PSTN reroute" isn't turned on in Jason's voice policy? Well the call would end up being answered by Exchange UM or simply denied with a message being displayed to the user.

    What if Jason's voice policy has "Enable bandwidth policy override" turned on? Well the call would proceed over the WAN without obeying the CAC policy. You may want to enable this option for special voice policies tied to certain staff members.

    What if Anton's voice policy doesn't have the "Enable bandwidth policy override" turned on and Jason calls him and his IS turned on? Well the call will be denied as CAC works both ways. The only way for the call to proceed is if Jason's policy permits PSTN reroute.

    Now I'm still learning the underlying framework here and a lot of the "how it works" along with answers to questions in my head remain unanswered. I'll update this post with more detail as it becomes available.

    Cheers!

    p.s. This ain't your momma's CAC....

    Monday, January 17, 2011

    RESOLVED: The WS-Management service cannot process the request. The user load quota of 1000 requests per 2 seconds has been exceeded. Send future requests at a slower rate or raise the quota for this user. The next request from this user will not be approved for at least Z milliseconds.

    I did some digging around for this one and found a few crafty articles about adjusting throttling policies using PowerShell and making changes through ADSIEdit (http://reidablog.blogspot.com/). However, none of these seemed to fix my issue.

    We had a newly built Exchange 2010 SP1 server which was ready to go into production but kept throwing the error when attempting to use PowerShell. Two other servers appeared to be running fine.

    The server had recently received a new SSL certificate using the Exchange 2010 certificate provisioning and assignment process in the GUI. Unfortunately the IIS service hadn't been restarted yet and the URL used for remote PowerShell was using a certificate which wasn't trusted or valid anymore.

    A quick "IISRESET" on the server resulted in my fix.

    Cheers!

    Saturday, January 15, 2011

    HOW TO: Change default Lync Server 2010 meeting entry and exit announcements

    Back in OCS 2007 R2 when you joined an audio conference as a PSTN participant the server would sound off with a "bong" when a person joined or left the meeting.

    With Lync Server 2010 you don't get an audible notification of participants at all. As a meeting organizer you can configure entry/exit announcements using the Online Meeting Options page:


    However, when you do this, the conference changes from using your assigned conference ID to a random ID each time you book a meeting. Additionally I've noticed the meeting plugin has a bug where the formatting is lost on a change of any kind using the meeting options. Hopefully this is changed soon.

    Instead of messing about on the client side, you can modify the Global policy to turn on these announcements or create separate pool or site-based policies. You can configure these using the "Set-CsDialInConferencingConfiguration" command as follows:

    Set-CsDialInConferencingConfiguration -Identity Global -EntryExitAnnouncementsEnabledByDefault:$True



    You can also create different policies depending on each site, for example:

    New-CsDialInConferencingConfiguration -Identity Site:Edmonton -EnableNameRecording:$False
    New-CsDialInConferencingConfiguration -Identity Site:Calgary -EntryExitAnnouncementsType ToneOnly

    Well that's all for today.

    Cheers.

    Friday, January 14, 2011

    HOWTO: Change video settings in Lync Server 2010

    Previously with OCS 2007 R2 the Administrator had the option of setting the maximum video resolution on a 'per pool' basis. This was done by right-clicking the server or pool and choosing the properties of the front-end server.

    BEFORE (OCS 2007 R2)


    With Lync Server 2010 this setting is now only accessible through PowerShell. To view the media configuration for Lync, run "Get-CsMediaConfiguration".

    AFTER (Lync Server 2010)

    You'll notice from the above screenshot that mine is set to use HD video; the default in Lync Server 2010 is VGA quality. To change this, run Set-CsMediaConfiguration -Identity Global -MaxVideoRateAllowed Hd720p15M. Possible values are Hd720p15M, VGA600K, and CIF250K.

    You can also create new media configurations on a per-site or per-service basis. For example: New-CsMediaConfiguration -Identity Site:Edmonton -EnableQoS:$True

    Just remember that you need two quad-core PCs to do HD video! For a complete list of requirements, visit: http://technet.microsoft.com/en-us/ff536101.aspx

    Thursday, January 13, 2011

    HOWTO: Grant a dial plan to a common area phone in Lync Server 2010

    I suppose you have to read between the lines sometimes. I found this to be extremely frustrating.

    To create a new Common Area Phone:

    New-CsCommonAreaPhone -LineURI "tel:+17805551212;ext=5001" -RegistrarPool "pool01.contoso.com" -DisplayName "Common Area Phone" -SipAddress "sip:commonphone01@domain.com" -OU "OU=Common Phones,OU=Lync Objects,DC=contoso,DC=com"

    I typically like to set the SIP URI in the command so it shows a human readable name instead of a long GUID.

    Create a new Common Area Phone client and voice policy as follows:

    New-CsClientPolicy HotDeskPhonesPolicy -EnableHotdesking $True -HotdeskingTimeout 00:30:00

    New-CsVoicePolicy -id CAPvoicepolicy -AllowSimulRing $False -AllowCallForwarding $False -Name CAPVoicePolicy -EnableDelegation $False -EnableTeamCall $False -EnableCallTransfer $False

    Create a special conferencing policy for the phone as follows:

    New-CsConferencingPolicy -id CAPconferencingpolicy -AllowIPAudio $False -AllowIPVideo $False

    Now, after you've been through all this.......you can't dial numbers which need to be normalized. To fix this, perform the step below. Personally I'd create a special dial plan for these phones but you can reuse an existing one if you wish.

    Get-CsCommonAreaPhone "Common Area Phone" | Grant-CsDialPlan -PolicyName "CAPDialPlan"

    To validate the phone indeed has this policy:

    Get-CsCommonAreaPhone "Common Area Phone" | Select DialPlan

    There seems to be a step missing in the Microsoft documentation which leads a person to believe you're done when you set the policies to the object you've created. Also, when you view the common area phone object through the "Get-CsCommonAreaPhone | FL" command, it doesn't show anything about a dial plan like the "Get-CsUser | FL" does.
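    The whole common area phone build from above as one script, including the policy grants the post leaves implicit and the dial plan grant it calls out, as an added example that is not part of the original post. The dial plan contents, the 4-digit extension rule, the pool, OU and SIP domain are assumed values; the property names in the final check are assumed to match those Get-CsUser exposes.

```powershell
# Added example (not from the original post): common area phone with every
# policy granted and a final check that covers the dial plan. Pool, OU,
# numbers, normalization pattern and policy names are assumed values.

$name = "Common Area Phone"

# Dial plan for the phones plus one extension rule (assumed 4-digit pattern).
New-CsDialPlan -Identity "CAPDialPlan" -Description "Common area phones"
New-CsVoiceNormalizationRule -Parent "CAPDialPlan" -Name "CAP4DigitExt" `
    -Pattern '^(5\d{3})$' -Translation '+17805551212;ext=$1' `
    -Description "4-digit extension to E.164 with ext"

# Policies from the post: hot-desking client policy, locked-down voice and
# conferencing policies.
New-CsClientPolicy -Identity "HotDeskPhonesPolicy" `
    -EnableHotdesking $True -HotdeskingTimeout 00:30:00
New-CsVoicePolicy -Identity "CAPVoicePolicy" -AllowSimulRing $False `
    -AllowCallForwarding $False -EnableDelegation $False `
    -EnableTeamCall $False -EnableCallTransfer $False
New-CsConferencingPolicy -Identity "CAPConferencingPolicy" `
    -AllowIPAudio $False -AllowIPVideo $False

# The phone object itself.
New-CsCommonAreaPhone -LineURI "tel:+17805551212;ext=5001" `
    -RegistrarPool "pool01.contoso.com" -DisplayName $name `
    -SipAddress "sip:commonphone01@contoso.com" `
    -OU "OU=Common Phones,OU=Lync Objects,DC=contoso,DC=com"

# Grant all four policies. The dial plan grant is the step that is easy to
# miss; without it the phone cannot dial anything that needs normalization.
$phone = Get-CsCommonAreaPhone -Identity $name
$phone | Grant-CsClientPolicy       -PolicyName "HotDeskPhonesPolicy"
$phone | Grant-CsVoicePolicy        -PolicyName "CAPVoicePolicy"
$phone | Grant-CsConferencingPolicy -PolicyName "CAPConferencingPolicy"
$phone | Grant-CsDialPlan           -PolicyName "CAPDialPlan"

# Check: Format-List does not list the dial plan, so ask for the properties
# by name and warn if any grant did not stick.
$p = Get-CsCommonAreaPhone -Identity $name |
    Select-Object DisplayName, ClientPolicy, VoicePolicy, ConferencingPolicy, DialPlan
$p
if (-not $p.DialPlan) {
    Write-Warning "No dial plan on '$name'; normalized dialing will fail."
}
```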

    Wednesday, January 12, 2011

    VIDEO: How to enable call park and set music on hold


    Greetings,

    Here is a quick video on how to enable call park in Lync Server 2010. Couple of things to note:

    1. When using WMA files, they need to be version 9 format encoded at 44 kHz, 16-bit, mono, CBR, 32 kbps.
    2. When configuring a call park range, don't create a dial plan to normalize the numbers. Simply type in the range you want and the Lync client/server will understand what you're trying to call.
    3. You can use Microsoft Expression Encoder 4 (http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=75402be0-c603-4998-a79c-becdd197aa79) to record or re-encode files you want to upload for both call park and the announcement service.
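    The call park configuration the video walks through, scripted with the Lync Server 2010 cmdlets, as an added example that is not part of the original post. The pool name, site name, orbit range, file path and voice policy name are assumed values; the file itself must already be encoded as note 1 describes.

```powershell
# Added example (not from the original post): enable Call Park for a pool,
# load a music-on-hold file and make sure users are allowed to park calls.
# Pool, site, orbit range, file path and policy name are assumed values.

$pool   = "ApplicationServer:pool01.contoso.com"
$site   = "Site:Edmonton"
$moh    = "C:\MoH\hold.wma"   # must be WMA 9, 44 kHz, 16-bit, mono, CBR, 32 kbps
$policy = "Tag:EdmontonUsers"

# Orbit range typed exactly as users dial it (note 2: no dial plan rule needed).
New-CsCallParkOrbit -Identity "Edmonton Orbits" `
    -NumberRangeStart "#100" -NumberRangeEnd "#199" -CallParkService $pool

# Site-level call park settings: play music and ring back the parker after
# two failed pickup attempts.
New-CsCpsConfiguration -Identity $site -EnableMusicOnHold $True -MaxCallPickupAttempts 2

# Upload the hold music as raw bytes to the pool's Call Park service.
Set-CsCallParkServiceMusicOnHoldFile -Service $pool `
    -Content (Get-Content -ReadCount 0 -Encoding Byte $moh)

# Users only see the Park option when their voice policy allows it.
Set-CsVoicePolicy -Identity $policy -EnableCallPark $True

# Check: the orbit is defined, music on hold is on, and the policy permits parking.
Get-CsCallParkOrbit | Select-Object Identity, NumberRangeStart, NumberRangeEnd, CallParkService
Get-CsCpsConfiguration -Identity $site | Select-Object Identity, EnableMusicOnHold
(Get-CsVoicePolicy -Identity $policy).EnableCallPark
```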

    Cheers.

    Want to see more videos? Let me know and I'll do my best to post them.

    Tuesday, January 11, 2011

    Troubleshooting steps: No audio, video, or desktop sharing with Lync Server topology

    We recently stood up our Lync 2010 Edge server and found a problem with audio/video functionality. The issue appeared to be related to firewall ports but we had recently swapped out our OCS 2007 R2 Edge for the Lync 2010 Edge server and none of the firewall port requirements have changed.

    We ended up doing a trace using the Lync Server 2010 Logging Tool. Here are the step-by-step instructions for troubleshooting it:

    1. Install the Lync Server 2010 Resource Kit if you haven't already (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=80cc5ce7-970d-4fd2-8731-d5d7d0829266)
    2. From the Lync Server 2010 Edge, open the Logging Tool.
    3. Enable S4, set the Level to "All", and turn on "All Flags" for the Flags section.
    4. Enable SIPStack and set the Level and Flags to the same as above.
    5. Get ready to place a call and be sure you have one test subject inside your network (behind the Edge server) and another person outside the organization (in front of the Edge server).
    6. Click the Start Logging button.
    7. Place the phone call or start a sharing session.
    8. Wait for it to fail and then click the Stop Logging button.
    9. Click the Analyze Log Files button.
    10. Click the Analyze button.
    You should now have a capture of the SIP messages which will tell you how the call was trying to be established.

    1. In the search window at the top, type in "INVITE" and hit Enter.
    2. Click on the INVITE sip: line in the trace and scroll down the window on the right.
    3. Locate the area in blue where it states "a=candidate". You should see a 'candidate' entry for each IP bound to your local PC along with the Edge server's audio/video conferencing IP.

    The Lync client will attempt to 'nail up the audio' along the path of least resistance. For example, if someone was on the same subnet (172.16.130.x) then a direct connection would be made between the two of us for audio/video and desktop sharing. If not, the next IP is tried. If you have your Edge server configured properly you should see the public IP. In my case I did not. My issue stemmed from a topology configuration which was incorrect.
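    The candidate check described above, done against the SDP text of a saved INVITE instead of by eye, as an added example that is not part of the original post. The trace excerpt in the script is constructed to show the failing case (a relay candidate carrying a private address rather than the A/V Edge public IP); the function, its name and the "public means non-RFC1918" test are assumptions of this example.

```powershell
# Added example (not from the original post): parse the a=candidate lines of
# an INVITE's SDP and flag when no public address was offered, which is the
# symptom described above. The sample SDP below is constructed, not captured.

function Test-PrivateIPv4 {
    param([string]$Ip)
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}

function Get-CandidateReport {
    param([string]$Sdp)
    # ICE candidate line: a=candidate:<foundation> <component> <transport>
    #                     <priority> <ip> <port> typ <type> [raddr ... rport ...]
    $rx = '^a=candidate:\S+\s+(\d+)\s+(\S+)\s+\d+\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+typ\s+(\S+)'
    $cands = foreach ($line in $Sdp -split "`r?`n") {
        if ($line -match $rx) {
            [pscustomobject]@{
                Component = [int]$matches[1]; Transport = $matches[2]
                Address   = $matches[3];      Port      = [int]$matches[4]
                Type      = $matches[5];      Private   = Test-PrivateIPv4 $matches[3]
            }
        }
    }
    [pscustomobject]@{
        Candidates = $cands
        # At least one candidate with a routable address means the A/V Edge
        # public IP made it into the offer.
        HasPublic  = [bool]($cands | Where-Object { -not $_.Private })
    }
}

# Constructed sample: host candidates on the LAN plus relay candidates that
# (wrongly) carry a private address instead of the A/V Edge public IP.
$sample = @"
v=0
m=audio 50004 RTP/AVP 114 9 112 111 0 8 116 115 4 97 13 118 101
a=candidate:1 1 UDP 2130706431 172.16.130.25 50004 typ host
a=candidate:1 2 UDP 2130705918 172.16.130.25 50005 typ host
a=candidate:2 1 UDP 16648703 172.16.130.7 57034 typ relay raddr 172.16.130.25 rport 50004
a=candidate:2 2 UDP 16648190 172.16.130.7 57035 typ relay raddr 172.16.130.25 rport 50005
"@

$report = Get-CandidateReport -Sdp $sample
$report.Candidates | Format-Table Component, Transport, Address, Port, Type, Private -AutoSize
if (-not $report.HasPublic) {
    Write-Warning "No public address offered; check the A/V Edge NAT public IP in Topology Builder."
}
```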

    When building the topology for your Lync Edge server, you'll be asked if your public IP is using NAT. In the section where this is discussed, other options are available which lead a person to believe the public IP they're talking about has to do with the Access Edge role and not A/V Edge. 

    My SIP trace showed the INVITE with a candidate IP of my Access Edge role which led me to realize the issue and change it. Specifically I had to open Topology Builder, expand the Edge Pool section, click on the Edge server, then click Edit Properties. The top section has a checkbox for "NAT enabled public IP address used". This is very poorly worded and should be changed for future builds. The text should read "Use NAT for your Audio/Video Edge public IP" or "Enter the public IP for your Audio/Video Edge role if you're using NAT".

    Thinking about it more and more I understand why there is only one entry for a public IP and not one for Access Edge or Web Conferencing Edge. It's just not very clear.

    Anyway, I hope this helps a few of you out there with Lync Server 2010 Edge implementations.

    Cheers.




    Unable to sign into Lync with MOC client (Windows XP and 7)

    I came across an interesting problem recently where some Windows XP and Windows 7 clients running Communicator 2007 R2 couldn't sign in over a Lync 2010 Edge server. We had migrated our environment from a 2007 R2 Edge to a Lync Edge server and all Lync 2010 clients were fine.

    After making a few calls and doing some research I found this article: http://blog.tiensivu.com/aaron/archives/1917-OCS-2007,-NTLM,-and-Edge-server-login-problems.html

    As it turns out we had to disable the requirement for 128-bit encryption on the Edge and Front-End Lync 2010 servers for it to be resolved. No reboot was required. See the above link for instructions on how to do so.

    Wednesday, January 5, 2011

    No audio, video, or desktop sharing in Lync Server with OCS 2007 R2 Edge

    Recently I built up our own internal Lync 2010 Server and thought I had done all the necessary configuration changes to integrate the product with our OCS 2007 R2 platform.

    After moving my account over to the Lync 2010 environment and performing a few tests I could quickly see there were a few features which didn't work. I did remember to set the Federation Route at the site level but missed a step at the server level.

    If you're running into an issue with remote audio/video and desktop sharing, this might be the fix for you:

    1. Open Lync 2010 Topology Builder.
    2. Expand the section containing your Lync 2010 server (standard or enterprise).
    3. Click on the server you want to modify and choose 'Edit Properties' from the right side of the console.
    4. Scroll down to the associations section and make sure you have a checkbox in the 'Associate Edge pool (for media components)' section.
    If you don't have an option to choose anything for the Edge pool, you haven't specified the OCS 2007 R2 edge server when you merged your topology. If you haven't merged your topology at all, you're reading the wrong article. Go here: http://technet.microsoft.com/en-us/library/gg413057.aspx

    Cheers.